Unit 2: The GDPR in practice

You have been introduced to the basic principles of GDPR and you now understand that this has implications for schools. In this unit, you will learn more about how GDPR will work in practice in your school.

Here’s a recap of what you learned in Unit 1:

• Data protection is embedded in law through the Data Protection Act 1998 (DPA).
• It is overseen by the Information Commissioner’s Office (ICO).
• Personal data is any information relating to an identified or identifiable person.
• Schools collect personal data about pupils, parents and staff.
• The DPA has eight principles; the GDPR has six principles.
• GDPR legislation will be in all EU countries and non-EU countries if they process data about EU citizens.
• GDPR will remain in force post-Brexit.
• There are bigger penalties under GDPR for non-compliance.
• GDPR focuses on individual protection, accountability and compliance.
• Schools will be required to appoint a data protection officer.

• Explore the definition of personal data in your school.
• Think about ways to embed a culture of data protection ownership among all staff.
• Consider school policies that are affected by GDPR.
• Learn about the legal basis for processing personal data.
• Explore the eight rights for individuals provided by GDPR.
• Understand data protection impact assessments.